Hi everyone,
I’m having trouble configuring mutual TLS with my Keycloak server: whatever I do, my browser never prompts me for my certificate.
I know my browser (Firefox) supports it, as it is working perfectly on my nginx and Apache servers.
Here’s what I tried:
- Followed the documentation and added an “X509/Validate Username Form” step before the “Username Password Form” in a copy of the browser flow, and bound it to the browser flow. I also thought of setting its requirement to “Alternative” first, then “Required”.
- Set up TLS on the Keycloak server, as it was previously only handled by my reverse proxy. Tried both with PEM certs and a JKS keystore. Set up a JKS truststore.
- Tried
openssl s_client -servername <public_hostname> -connect localhost:8443 -CAfile <cafile>
which returned verify code 0 (ok).
- Added
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert
to my reverse proxy (nginx) and added
--spi-x509cert-lookup-nginx-ssl-client-cert=X-SSL-CERT --spi-x509cert-lookup-nginx-certificate-chain-length=10
to the start command of the container, as per the documentation. I did not add the
--spi-x509cert-lookup-<provider>-ssl-cert-chain-prefix=CERT_CHAIN
parameter, as I could not find any variables in the nginx documentation (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables - sorry, new user, can’t use more than two links) containing the cert chain. I figured the chain set on the server should be enough, but maybe I’m mistaken? If so, and someone knows how I can retrieve it from nginx, I would love to learn how.
- Enabled debug on Keycloak and can clearly see the issue: the cert is not available, since I’m never prompted:
keycloak-test-keycloak-1 | 2023-03-29 20:49:20,387 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) check execution: 'auth-x509-client-username-form', requirement: 'REQUIRED'
keycloak-test-keycloak-1 | 2023-03-29 20:49:20,387 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) authenticator: auth-x509-client-username-form
keycloak-test-keycloak-1 | 2023-03-29 20:49:20,388 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-0) Selections when trying execution 'auth-x509-client-username-form' : [ authSelection - auth-x509-client-username-form]
keycloak-test-keycloak-1 | 2023-03-29 20:49:20,390 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) invoke authenticator.authenticate: auth-x509-client-username-form
keycloak-test-keycloak-1 | 2023-03-29 20:49:20,391 DEBUG [org.keycloak.services] (executor-thread-0) [X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.
keycloak-test-keycloak-1 | 2023-03-29 20:49:20,391 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) authenticator ATTEMPTED: auth-x509-client-username-form
keycloak-test-keycloak-1 | 2023-03-29 20:49:20,392 WARN [org.keycloak.services] (executor-thread-0) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
One last thing: I’m using a certificate from a Yubikey. I know it works, as my other websites with nginx/Apache frontends doing mTLS do detect the certificate on it; nevertheless, I also tried with a cert file imported directly into Firefox, with no more luck.
Can someone help me see what I’m doing wrong here please?
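For reference, here is an added example of the proxy side of the layout described in the post (nginx terminating TLS and forwarding the client certificate to Keycloak in a header). It is not code from the post or from the Keycloak documentation. Assumptions: the public hostname is kc.example.org (hypothetical), Keycloak listens on plain HTTP at keycloak:8080 on an internal network, the server certificate and key are in /etc/nginx/server.pem and /etc/nginx/server.key, and the CA that issued the client certificates is in /etc/nginx/client-ca.pem. The detail that decides whether a browser is ever prompted is the ssl_verify_client directive: a TLS server only asks for a client certificate when it sends a CertificateRequest in the handshake, and nginx does that only when ssl_verify_client is set on the server block.

```nginx
# Added example, not from the original post or the nginx/Keycloak documentation.
# Hypothetical hostname, paths and upstream; adjust to the real deployment.
server {
    listen 443 ssl;
    server_name kc.example.org;

    ssl_certificate     /etc/nginx/server.pem;
    ssl_certificate_key /etc/nginx/server.key;

    # Without ssl_verify_client, nginx never requests a client certificate and
    # the browser never shows a certificate picker. "optional" requests one but
    # still lets clients without a certificate through to the username/password
    # form; "on" would reject them at the TLS layer before Keycloak is reached.
    # ssl_client_certificate is the CA (or chain) used to verify the client cert
    # and is sent to the client as the list of acceptable CA names.
    ssl_client_certificate /etc/nginx/client-ca.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    location / {
        proxy_pass http://keycloak:8080;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Forward the verified leaf certificate. proxy_set_header overwrites any
        # X-SSL-CERT header a client sent itself, so Keycloak only ever sees a
        # value produced here; this only holds if Keycloak is not reachable
        # except through this proxy. $ssl_client_escaped_cert needs nginx >= 1.13.5.
        # nginx exposes no variable for the rest of the chain; Keycloak's nginx
        # lookup provider rebuilds it from the Keycloak truststore instead.
        proxy_set_header X-SSL-CERT   $ssl_client_escaped_cert;

        # Verification result for debugging: SUCCESS, NONE or FAILED:<reason>.
        proxy_set_header X-SSL-Verify $ssl_client_verify;
    }
}
```

On the Keycloak side this layout pairs with --spi-x509cert-lookup-provider=nginx, --spi-x509cert-lookup-nginx-ssl-client-cert=X-SSL-CERT (the header name must match the proxy_set_header above), --spi-x509cert-lookup-nginx-ssl-cert-chain-prefix=USELESS (a placeholder, since nginx passes no chain headers) and --spi-x509cert-lookup-nginx-certificate-chain-length=2, with the issuing CA loaded into the Keycloak truststore so the chain can be rebuilt. A quick check that the prompt will happen at all: run openssl s_client -connect kc.example.org:443 -servername kc.example.org without a client certificate; if the server requested one, the handshake output lists the CAs under "Acceptable client certificate CA names", whereas "No client certificate CA names sent" means the server never asked, and no browser will show a picker regardless of how the Keycloak flow is configured.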